Closed: rayluo closed this PR 7 months ago.
> here comes this ([evil?](https://en.wikipedia.org/wiki/Number_of_the_beast)) PR

Interestingly, 666 is a positive/lucky number in Chinese, expressing "good" and "proficient": https://en.wikipedia.org/wiki/666_(number).
[celebrate] Yong Zhang reacted to Jiashuo Li's comment above (sent Wednesday, March 20, 2024).
The implementation is not complete. After running `remove_tokens_for_client()`, the ghost of the service principal still lingers in `AppMetadata`:

```json
{
  "AccessToken": {},
  "AppMetadata": {
    "appmetadata-login.microsoftonline.com-a7003d8c-e50f-4371-91a6-ef37bba4ab23": {
      "client_id": "a7003d8c-e50f-4371-91a6-ef37bba4ab23",
      "environment": "login.microsoftonline.com"
    }
  }
}
```

What if I lose track of service principals' client IDs? How do I purge all service principals' access tokens, while keeping users' access tokens?
> What if I lose track of service principals' client IDs? How do I purge all service principals' access tokens, ...?

Hmm, MSAL's `ClientApplication` always requires `client_id` as its required parameter. This question sounds as strange as "what if I forgot my local Windows username, how do I purge all users' content from the current PC?". Is there a legit scenario for that? That being said, I suppose you can do `format c:` or its equivalent `rm ~/.azure/msal_token_cache.json` if desirable.
> How do I purge all service principals' access tokens, while keeping users' access tokens?

You would have to create different `ClientApplication` objects with different token cache persistence files, so that you may be able to delete some of those files.
> The implementation is not complete. After running `remove_tokens_for_client()`, the ghost of the service principal still lingers in `AppMetadata`.
The residue of `AppMetadata` is technically not an incomplete implementation. The `AppMetadata` was meant to be persisted forever, because (1) they would be used to remember whether an app belongs to a "family" (although that characteristic does not necessarily apply to service principals); (2) they contain no sensitive tokens anyway.
> This question sounds as strange as "what if I forgot my local Windows username, how do I purge all users' content from the current PC?".

This is possible for user accounts logged into MSAL, as users can be retrieved with `ClientApplication.get_accounts()`:

Azure CLI has a `logout_all_users()` which removes all users, but `logout_service_principal()` is currently incomplete due to no equivalent of `ClientApplication.get_accounts()`.
> although that characteristic does not necessarily apply to service principal

I agree the client ID for user authentication (such as Azure CLI's client ID) is not sensitive, but some users may treat a service principal's client ID as sensitive data and want it to be "obliviated".
Based on this understanding, here comes this ([evil?](https://en.wikipedia.org/wiki/Number_of_the_beast)) PR, which will resolve #640 and resolve #650.
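A working sketch of the two remedies discussed in this thread, added here as an example that is neither part of this PR nor MSAL's own code: rayluo's one-cache-file-per-principal-class layout (so the service principal file can be deleted without touching user tokens), and a purge that clears a client's entries from every table, `AppMetadata` included, for the "lost track of the SP client IDs" case. It works on the JSON layout that MSAL's `SerializableTokenCache` serializes to (top-level tables such as `AccessToken` and `AppMetadata`, each mapping a cache key to an entry that records its `client_id`, as in the dump above) and does not import `msal`; all client IDs, cache keys and token values are constructed placeholders, and `SegregatedCacheStore`, `drop_entries_for_client`, `purge_all_except` and `demo_segregated_purge` are names invented for this example.

```python
import copy
import json
import os
import tempfile
from typing import Iterable, Optional, Set

# Constructed placeholder ids and cache content (not real application ids).
USER_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"  # a CLI-style public client
SP_CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"    # a service principal
ENV = "login.microsoftonline.com"

# Same table layout as the cache dump in the thread: top-level tables keyed by
# credential type, each holding entries that record which client_id owns them.
SAMPLE_CACHE = {
    "AccessToken": {
        f"user-{ENV}-accesstoken-{USER_CLIENT_ID}": {
            "client_id": USER_CLIENT_ID, "environment": ENV, "secret": "constructed-user-token"},
        f"-{ENV}-accesstoken-{SP_CLIENT_ID}": {
            "client_id": SP_CLIENT_ID, "environment": ENV, "secret": "constructed-sp-token"},
    },
    "AppMetadata": {
        f"appmetadata-{ENV}-{USER_CLIENT_ID}": {"client_id": USER_CLIENT_ID, "environment": ENV},
        f"appmetadata-{ENV}-{SP_CLIENT_ID}": {"client_id": SP_CLIENT_ID, "environment": ENV},
    },
}

def fresh_sample() -> dict:
    # Private copy of the constructed cache, so purges do not leak across calls.
    return copy.deepcopy(SAMPLE_CACHE)

def client_ids_in(cache: dict) -> Set[str]:
    """Every client_id still referenced anywhere in the cache, AppMetadata included."""
    return {e["client_id"] for es in cache.values() for e in es.values() if "client_id" in e}

def drop_entries_for_client(cache: dict, client_id: str, include_app_metadata: bool) -> int:
    """Delete entries owned by client_id; with include_app_metadata=False the tokens go
    but the AppMetadata 'ghost' stays, as debated above. Returns the number removed."""
    removed = 0
    for table, entries in cache.items():
        if table == "AppMetadata" and not include_app_metadata:
            continue
        for key in [k for k, e in entries.items() if e.get("client_id") == client_id]:
            del entries[key]
            removed += 1
    return removed

def purge_all_except(cache: dict, keep_client_ids: Iterable[str]) -> int:
    """Keep only entries of the known user-auth clients; every other client's entries go,
    AppMetadata included. Entries without a client_id (e.g. account records) stay."""
    keep, removed = set(keep_client_ids), 0
    for entries in cache.values():
        for key in [k for k, e in entries.items() if "client_id" in e and e["client_id"] not in keep]:
            del entries[key]
            removed += 1
    return removed

class SegregatedCacheStore:
    """One cache file per principal class, so the service-principal file can be
    deleted wholesale without touching user tokens."""

    def __init__(self, directory: str):
        self.directory = directory

    def path_for(self, kind: str) -> str:  # kind: "users" or "service_principals"
        return os.path.join(self.directory, f"msal_token_cache_{kind}.json")

    def load(self, kind: str) -> dict:
        path = self.path_for(kind)
        if not os.path.exists(path):
            return {}
        with open(path, encoding="utf-8") as f:
            return json.load(f)

    def save(self, kind: str, cache: dict) -> None:
        # Owner-only permissions: the file holds bearer tokens.
        fd = os.open(self.path_for(kind), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(cache, f)

    def purge(self, kind: str) -> bool:
        """Delete one class's cache file entirely; True if a file existed and was removed."""
        path = self.path_for(kind)
        if not os.path.exists(path):
            return False
        os.remove(path)
        return True

def demo_segregated_purge(directory: Optional[str] = None):
    """Write user and SP entries to separate files, drop the SP file, and return
    (sp_file_removed, client ids left in the users file, contents of the SP file)."""
    store = SegregatedCacheStore(directory or tempfile.mkdtemp(prefix="msal-cache-demo-"))
    full = fresh_sample()
    def only(cid: str) -> dict:  # the entries of one client, table structure preserved
        return {t: {k: e for k, e in es.items() if e.get("client_id") == cid} for t, es in full.items()}
    store.save("users", only(USER_CLIENT_ID))
    store.save("service_principals", only(SP_CLIENT_ID))
    removed = store.purge("service_principals")
    return removed, client_ids_in(store.load("users")), store.load("service_principals")
```

`drop_entries_for_client(cache, cid, include_app_metadata=False)` reproduces the token-only removal the thread debates and leaves the `AppMetadata` ghost in place; passing `True`, or calling `purge_all_except(cache, [known_user_client_id])`, removes it as well. To use the store with real MSAL, feed the loaded dict through `SerializableTokenCache.deserialize(json.dumps(...))` before building the `ClientApplication`, and write back `serialize()` when `has_state_changed` is set.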